Bug 1118169 (CVE-2014-2970)

Summary: CVE-2014-2970 openssl: client-crash when parsing SRP parameters (VU#904060)

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED DUPLICATE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | jrusnack, security-response-team, tmraz |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-07-10 08:36:06 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1118171, 1127468 | | |
Description
Huzaifa S. Sidhpurwala
2014-07-10 06:36:46 UTC
The version of openssl as shipped with Red Hat Enterprise Linux 5, 6, and 7 does not support the Secure Remote Password (SRP) protocol as an authentication method for the Transport Layer Security protocol and therefore is not affected. This issue does not affect the version of openssl as shipped with Fedora 19 and Fedora 20.

Public now via upstream commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=80bd7b41b30af6ee96f519e629463583318de3b0

It seems this issue got another, duplicate CVE id, CVE-2014-5139 (bug 1127491), assigned to it by OpenSSL upstream.

Note that SRP support was introduced upstream in version 1.0.1.
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=edc032b
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0deea0e

CVE-2014-2970 was also incorrectly used to refer to the LibreSSL PRNG re-seeding issue described in:
https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/

Because of the incorrect use, the id has already been rejected as a duplicate:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2970

> ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality for certain process-bifurcation use cases that might arise in future LibreSSL-based applications. There is no CVE ID associated with this LibreSSL code change. As of 20140730, CVE-2014-5139 is an undisclosed vulnerability in a different product, with ongoing vulnerability coordination that had previously used the CVE-2014-2970 ID.

*** This bug has been marked as a duplicate of bug 1127491 ***
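The report's "not affected" verdict for RHEL rests on one fact: a build compiled without SRP has no SRP ciphersuites, so the SRP code path that crashes the client can never be reached. The following is an added example (not code from the Bugzilla report, Red Hat or OpenSSL) that applies that reasoning to whatever OpenSSL is linked into the local Python interpreter: it asks the library for its SRP ciphersuites, and separately applies the upstream version range. The upstream fix release, 1.0.1i, is not stated on this page and is taken from the OpenSSL security advisory of 6 August 2014; the version check is only meaningful for unpatched upstream builds, since distributions backport fixes without bumping the version, so the cipher-list check is the one to trust on a vendor build.

```python
"""Checks for the reasoning in bug 1118169: is SRP even negotiable here?

Added example; not code from the Bugzilla report, from Red Hat or from OpenSSL.
"""
import ssl


def srp_ciphersuites(context=None):
    """Names of the SRP ciphersuites the linked OpenSSL can negotiate.

    An empty list means the library was built without SRP: OpenSSL then
    rejects the cipher string "SRP" with "no cipher match", which Python
    surfaces as ssl.SSLError. A build whose security level excludes every
    SRP suite gives the same result, which is the right answer here, since
    such a build cannot negotiate them either. get_ciphers() also lists the
    TLS 1.3 suites, which are not selected by the cipher string, so only
    names with the SRP- prefix are kept.
    """
    ctx = context or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("SRP")
    except ssl.SSLError:
        return []
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"].startswith("SRP-"))


# Upstream releases with SRP code but without the fix: 1.0.1 through 1.0.1h.
# 1.0.1 is where the report says SRP support was introduced; 1.0.1i as the
# fix release is an assumption taken from the OpenSSL advisory of 2014-08-06,
# not from the report. Patch letters map to numbers: "" = 0, a = 1, ..., i = 9.
FIRST_WITH_SRP = (1, 0, 1, 0)
FIRST_FIXED = (1, 0, 1, 9)


def upstream_version_affected(version_info):
    """True if an unpatched upstream release with this version is in range.

    version_info follows ssl.OPENSSL_VERSION_INFO: (major, minor, fix, patch,
    status). Only the first four fields are compared; 1.0.0 (no SRP code) and
    1.0.2 or later (released after the fix) fall outside the range.
    """
    v = tuple(version_info[:4])
    return FIRST_WITH_SRP <= v < FIRST_FIXED


def assess(version_info=ssl.OPENSSL_VERSION_INFO, context=None):
    """Combine both checks into one verdict for the running library."""
    suites = srp_ciphersuites(context)
    in_range = upstream_version_affected(version_info)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "srp_suites": suites,
        "srp_compiled_in": bool(suites),
        "upstream_range_affected": in_range,
        # The crash needs both: SRP code present and an unfixed library.
        "reachable": bool(suites) and in_range,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On a RHEL-style build without SRP, `srp_ciphersuites()` returns an empty list and `reachable` is False regardless of the version string, which is exactly the argument the report makes; on an upstream 1.0.1 build the list is non-empty and the version field decides.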